First we will need to dump the memory in Ollydbg. We can do this by right click on code, Backup, Save data to file, then save it. The next step we will need the address of the import table. Once we have the import table address we will need to view it in Ollydbg's dump window. The best way to view the import table is using Ollydbg's Long Address view.
Now we will need to select all the API names, copy them to the clipboard, and save them to a text file. This will give us an output as seen below.
0087E000 7C865B1F kernel32.CreateToolhelp32Snapshot 0087E004 7C80981E kernel32.InterlockedExchange 0087E008 7C809A1D kernel32.LocalAlloc 0087E00C 7C8017E9 kernel32.GetSystemTimeAsFileTime 0087E010 7C810E17 kernel32.WriteFile 0087E014 7C80BC06 kernel32.OpenFileMappingA 0087E018 7C81CAFA kernel32.ExitProcess 0087E01C 7C82F863 kernel32.CopyFileW 0087E020 7C810B07 kernel32.GetFileSize 0087E024 7C8094EE kernel32.CreateFileMappingA 0087E028 7C80B995 kernel32.MapViewOfFile 0087E02C 7C810FC2 kernel32.lstrcatW 0087E030 7C830779 kernel32.GetTempPathW 0087E034 7C80B55F kernel32.GetModuleFileNameA 0087E038 7C80AEDB kernel32.LoadLibraryW 0087E03C 7C8099BF kernel32.LocalFree 0087E040 7C90FE01 ntdll.RtlGetLastWin32Error
Now we will need to open up the memory dump in IDA. The memory image base will need to be changed to the start of the allocated memory. In the example above the base address was 0x00870000. To do this in IDA click on Edit, Segments, Rebase program..., then add the address to the value field. Odds are when IDA loaded the file up it identified code. If not you will need to find the entry point or an address that we know is code and press 'c'. If we are lucky IDA will have found some jmps to some dwords.
An anonymous user left a helpful comment "if you drop the DLL prefix and run auto-analysis once more, you even get parameter propagation, granted you have the proper type library loaded.". I have modified the original code and image to reflect their helpful comment. To reanalyze in IDA right click on the bottom left hand corner of IDA and the choose reanalyze the program.
from idaapi import * import idautils import idc class OLLYDBG_ADDR_TO_IDA: def __init__(self): self.fileName = AskFile(0, "*.*", 'Ollydbg Address Exported') self.content =  self.getFile() self.renameAddr() def getFile(self): try: self.content = open(self.fileName, 'r').readlines() except: return def renameAddr(self): for addr in self.content: list_addr_name = addr.split() if len(list_addr_name) != 3: continue api_addr = int(list_addr_name,16) api_name = list_addr_name.split('.') MakeNameEx(api_addr, api_name, SN_NOWARN) OLLYDBG_ADDR_TO_IDA()
If you didn't know IDAScope has been released. DOWNLOAD